On 17 May 2024, AddComm experienced a data breach. A serious hack that changed our world. The impact was significant, not only on our systems and processes, but also on our customers and our people. While the situation is now under control, the insights I have gained since then are invaluable. That is why I am sharing the five most important lessons I personally learned over the past year.
It is tempting to see data security as something that belongs mainly to “the technical team”. I learned the hard way that this is not true. Security must be an integral part of how you run your business. It affects your continuity, your reputation and your customers. As a leadership team, you cannot delegate this responsibility. You need to understand the risks, how they are mitigated and how to act when something goes wrong.
Since the data breach, I have immersed myself in data security, simply because it is necessary to take responsibility as a CEO. It allows me to ask sharper questions and properly assess decisions. Security belongs at the boardroom table just as much as finance or strategy. You cannot be a customer-centric organisation if the security of customer data is not in order.
At AddComm, our processes are well organised. We are ISO 27001 and ISO 9001 certified. We undergo annual ISAE 3402 type II audits. We train our employees so they understand the correct procedures. And still, things went wrong. What I learned from this is that procedures on paper are no guarantee of data security in practice.
There are essentially two ways to approach data security. You can establish clear agreements around process-driven, risk-based working, which requires carefully considering the type of people your organisation needs. Alternatively, you can set up stricter user rights within your IT infrastructure to protect people from making mistakes. Yes, that may mean logging in an extra time for certain actions.
In reality, the strongest approach is a combination of both. Either way, it is crucial to lead by example and create support within your organisation. Everything depends on demonstrating how seriously leadership takes these risks.
Many companies prefer to share as little as possible when something goes wrong. When our data breach came to light, we consciously chose to be open and transparent. We informed customers immediately and provided updates whenever there were changes. As a result, several customers told us that this confirmed we were the right partner for them. Not because everything went perfectly, but because we were honest about what was happening.
What I learned is that how you handle an incident is decisive for your customer relationships. If you hide, you lose trust. If you engage in dialogue, you can even come out stronger.
What surprised me most during the aftermath of the data breach was that customers often did not fully know which data we processed for them. This makes it even more important to stay in control as an organisation. Where is your data stored, how long is it retained and why? Which IT suppliers do you work with and how do you know they have their security in order?
Since the breach, we have been asking far more targeted questions. We want to know exactly who supplies what data, for which purpose and how long it is stored. Not because we distrust our partners, but because we take our responsibility seriously.
The final lesson may be the simplest one: you cannot do this alone. Cybersecurity is complex, constantly evolving and requires specialised expertise that most organisations do not have in-house. Of course, you can organise a lot internally, but there is always a limit to what your own team can handle, especially in an SME. The first step is acknowledging where your expertise falls short and making sure it is supplemented.
The key question is no longer “how do we prevent being hacked?” Instead, a better question is “how do we respond when it does happen?”
This experience has changed me as a CEO. I now understand more clearly than ever what truly matters in times of crisis: leadership, transparency and the willingness to make difficult choices. I carry these lessons not only into how we work, but also into the development decisions we make for our Flowize platform at AddComm.